Issue:
How to configure Elements Endpoint Protection (PSB) Software Updater (SWUP) Proxy with F-Secure Endpoint Proxy?
Resolution:
You need to do the following to setup F-Secure Endpoint Proxy to offer software updates:
1. Install F-Secure Policy Manager Proxy following the steps documented in the guide:
Obtain and prepare a certificate
You need to obtain an SSL certificate from your certificate authority (CA) vendor and make sure, that this certificate is signed by a party, that is trusted on all your computers. Also, you need to make sure, that your certificate is in PKCS 12 format (this format usually has file extensions *.p12 or *.pfx, you can convert the certificate to PKCS 12 format, the party providing the certificate should be able to provide you instructions).
Then you need to import PKCS 7 certificate to a keystore. You can do this with the following command:
Import the certificate to the keystore
%JDK_HOME%/bin/keytool -importcert -alias server -keystore %PATH_TO_KEYSTORE% -file <path-to-chain-p7.pem> |
Where:
- JDK_HOME is your java installation directory.
- PATH_TO_KEYSTORE is a path to an existing or new keystore.
For example, on Windows this command may look like this:
Import the certificate to the Keystore
C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool -importcert -alias server -keystore server.p12 -file mycertchain.pem |
Replace the default Policy Manager Proxy
Java applications expect all certificates to be stored in the java keystore. New certificates can be imported using the key tool which is located under the java installation locations bin directory. You can import the certificate to the keystore with the following command:
Import the certificate to the keystore
%JDK_HOME%/bin/keytool -importkeystore
-destkeystore "%FSPMS_HOME%\data\fspms.jks"
-deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD
-srckeystore <MyCert.p12> -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias %ALIAS% |
Where:
- %JDK_HOME% with your java installation directory.
- %FSPMS_HOME% with your PMP proxy installation directory.
- %ALIAS% with the preferred alias for the certificate in the keystore.
For example, on Windows this command may look like this:
Import the certificate to the keystore
"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool" -importkeystore
-destkeystore "C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks"
-deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias server
Existing entry alias server exists, overwrite? [no]:
-> yes |
Configure your Policy Manager Proxy to use HTTPS
- Navigate in the registry to "HKLM\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server"
- Add "-DpsbProxyMode=true" to "additional_java_args"
- Check that "HttpsPortNum" is 443 (If isn't change it to 443 decimal value)
- Exit registry editor and restart PMP proxy
Ready to Go
Now your F-Secure Endpoint Proxy is configured to work with Software Updater. If you want to know more about how Software Updater works with F-Secure Endpoint Proxy, you can check the "Additional Information" section below.
How to configure client machines when PMP is using a self-signed (not trusted/commercial) certificate
WARNING: Use this guide only for testing purposes as it's a less secure way to serve installation packages.
If you decided for testing purposes to use a not trusted certificate, then you need to make this certificate trusted on every client machine, which is working together with Policy Manager Proxy, otherwise, Software Updater is not able to establish a connection to PM Proxy as the connection is untrusted.
To set up a client environment you need to open a Microsoft Management Console (open start menu, type there mmc and run it with administrator privileges:
Then press File → Add/Remove snap-in...:
Select Certificates on the left side menu and press the Add button, then press the OK button.
Then on the left sidebar, you need to navigate to Console Root → Certificates → Trusted Root Certification Authorities → Certificates:
Right-click on Certificates and select All tasks → Import...
Follow the wizard and choose your generated CA certificate, that you need to make trust.
Additional Information
F-Secure Proxy mode
Software Updater and F-Secure Proxy can work together in 3 modes: use always only F-Secure Proxy, use F-Secure Proxy only if possible or never use F-Secure Proxy.
Depending on the selected mode, Software Updater may act differently.
- "Always" means, that Software Updater always uses only F-Secure Proxy and never downloads installation packages from the outer Internet.
- "If possible" means, that Software Updater tries to download an installation package from F-Secure Proxy three times, and if all three times it failed to download the package, then it goes to the outer Internet.
- "Never" means, that Software Updater does not use F-Secure Proxy at all.
Article no: 000019006